Publication
The Legal Intelligencer
06.14.2024

The rise in cybersecurity incidents should sound the alarm bells for law firms and legal professionals alike. State bar authorities across the country have reported that lawyers are being specifically targeted by those carrying out cybercrimes, including data breaches and ransomware attacks. These incidents are becoming more prevalent and even harder to detect given the increased use of and reliance on technology by attorneys in connection with the practice of law. This article discusses the obligations that practitioners have when it comes to cybersecurity and practicing law, steps that can be taken to defend against and respond to cybersecurity incidents, and potential consequences from the failure to act. 

The Duties of Technological Competence and Safeguarding Client Information, Funds, and Property

A lawyer’s duty to keep up with advancements in technology that impact the practice of law stems from the ethical obligation of competence rooted in ABA Model Rule 1.1. As a comment to the Rule explains, “[t]o maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology[.]” Comment [8] to ABA Model Rule 1.1. There is also an ethical duty to take reasonable measures to safeguard client information entrusted to the lawyer and to prevent its unauthorized disclosure. See ABA Model Rule 1.6(c) (“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”); see also ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 483 (Oct. 17, 2018) (“When a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach…”).

ABA Model Rule 1.15(a) further requires the safekeeping of funds and other property of a client or third party that is in a lawyer’s possession “in connection with a representation[.]” Whether an attorney trust account holds a portion of an unearned retainer or the proceeds from a commercial transaction, a lawyer’s obligation extends to ensuring that those funds are appropriately safeguarded, including from potential hackers. In ABA Formal Op. 483, the Committee explained “a lawyer’s ethical responsibility to use reasonable efforts when communicating client confidential information using the Internet[,]” which necessarily includes receiving or relaying such information as routing numbers, passwords, and confidential personal identifiers. 

Practical Considerations and Proactive Measures

In order to detect potential cyber threats, like phishing scams and spoofing attacks, attorneys need to be familiar with how incidents occur and what they can do to minimize their exposure. This begins with practitioners and law firms reviewing their existing cybersecurity policies which should address, at a minimum, the use of certain technologies, protecting client data, security measures, and incident response protocols. 

As an initial matter, a cybersecurity policy must be enforced at every level of a law practice, including for attorneys, paralegals, legal assistants, and other employees. Organizations should strive for annual cybersecurity training that exposes all employees to recent trends in cybersecurity incidents, threats, and tactics. When business is conducted on personal devices such as smartphones or laptops, be sure to implement multifactor authentication processes across networks and workstations. An incident response protocol (“IRP”) can go a long way in mitigating the harm from cybersecurity incidents and preventing further and unnecessary damage. IRPs should address which incidents members of an organization respond to and how they respond to them. This includes, for example, the processes needed for data and information collection or preservation, reporting mechanisms and notice requirements, as well as backup and retention logs. IRPs can save valuable time and ensure that every incident is fully responded to and documented.

Potential Consequences from Cybersecurity Incidents

The tactics involved in data breaches and ransomware attacks have evolved and become more sophisticated over time, causing even the most tech-savvy among us to do a double-take on a seemingly routine e-mail with what appear to be benign attachments. Cybersecurity threats can come in the form of, among other things, phishing scams and spoofing attacks. Regardless of form, however, any cybersecurity incident can have potentially far-reaching consequences, including the unauthorized access to a client’s financial or medical records, or the release of commercial trade secrets and confidential business records. See, e.g., In re Mondelez Data Breach Litig., Nos. 23-C-3999, 23-C-4249, 2024 U.S. Dist. LEXIS 97948, at *12 (E.D. Ill. June 3, 2024) (denying law firm-defendant’s motion to dismiss negligence claims in consolidated class-action arising out of a data breach incident involving client information held by law firm-defendant, and rejecting, among other things, the argument that “they had no duty to protect plaintiffs’ personal information.”).

When cybersecurity incidents occur, law firms and lawyers may face potential malpractice, negligence, and privacy-related claims. See In re Mondelez Data Breach Litig., supra at *2-*3. Clients and affected third parties may also file ethics complaints or grievances with state bar authorities based on relevant RPCs. See, e.g., ABA Model Rules 1.1, 1.6(c), & 1.15(a). Further, there may even be grounds for statutory claims involving HIPAA and the like. Hackers can gain access to sensitive and confidential client information being held by law firms and lawyers, potentially resulting in reputational harm, extortion, demands for ransom in exchange for stolen data, and other costs.

The Bottom Line

Given the pervasiveness of cybersecurity incidents in contemporary law practice, the question can no longer be framed in terms of if, but when an incident will occur. Attorneys and law firms can and should keep up with evolving technologies to stay ahead of the curve when it comes to navigating cyberthreats and cybersecurity. In addition to staying informed, attorneys should review or craft an internal cybersecurity policy, implement safety features on electronic devices, and take proactive action by maintaining an updated incident response plan.


Reprinted with permission from the June 14, 2024 edition of The Legal Intelligencer © 2024 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-256-2472 or reprints@alm.com
